Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 10 18:46:25 CEST 2007


> VMPS is only one part of the problem.
> Do you want to add a Database, Client Security tools/interfaces, policy
> engine, interfaces to AntiVirus servers, scanners, Patch servers, and so
> to FreeRadius?

Yes. By implementing EAP-TNC.

> I thought Freeradius concentrates on the authentication protocols, not
> the network integration aspects?

Perhaps you could explain, if FreeRadius supported EAP-TNC, why I as a
medium/large organisation would possibly want to use FreeNAC? Bearing in
mind that (correct me if I'm wrong) FreeNAC consists of:

 * a database schema
 * a web editor for said database
 * a gui editor for said database (bleh)
 * a freeradius config to authenticate off that database
 * a patched version of openvmps to query off that database
 * yet another re-implementation of netdisco (www.netdisco.org) talking
to the same database
 * some helper utilities for pulling info from SMS/Wsus

We (for example) already have a network/vlan/switch/host/router
database, SQL schema and SQL servers, web interface to same, device
management/discover/polling and helper utilities hooked up to wsus.

I'm not saying what FreeNAC is doing is wrong, but it does not help to
represent it as something it's not. I would have understood this a lot
more:

"""FreeNAC is a standard database schema, GUI and set of management
tools for running access-controlled LAN networks. It uses FreeRadius and
OpenVMPS, running against MySQL, to perform its job."""


If you're interested, perhaps I can make some constructive suggestions
about ways FreeNAC could offer actual added value to medium/large orgs.
All this is, of course, my personal opinion (and I've got to tell you,
you've zero chance of selling to us because we don't work that way, but
anyway... ;o):

 * a GPLed, ActiveX / Java / other browser-based endpoint posture
assessment client, for use in fallback non-802.1x (walled-garden) mode.

 * contribute working EAP-TNC to FreeRadius

 * contribute working PEAPv2 and whatever-the-vista-posture-protocol is
called

 * liaise with the FreeRadius SQL developers to come up with the most
appropriate SQL schema; ideally (from your PoV) the FreeNAC SQL schema
could become the default for new FreeRadius installs.

Hope that perspective is useful.




More information about the Freeradius-Users mailing list